Method and apparatus for preventing insertion of malicious content at a named data network router

ABSTRACT

An object-forwarding device can block a malicious Content Object from being inserted into an Interest&#39;s reverse path over a named data network. During operation, the device can receive a Content Object via a first interface, and can perform a lookup operation in a Pending Interest Table (PIT) to identify a PIT entry for an Interest associated with the Content Object. The device then determines, from the PIT entry, an egress interface used to forward the Interest. If the device determines that the egress interface of the PIT entry matches the first interface for the Content Object, the device forwards the Content Object via a return interface specified in the PIT entry. On the other hand, if the egress interface of the PIT entry does not match the first interface for the Content Object, the device can block the Content Object.

BACKGROUND

1. Field

This disclosure is generally related to computer networks. More specifically, this disclosure is related to controlling the flow of Content Objects over a Named Data Network.

2. Related Art

In a content centric network (CCN), a client device can obtain data by disseminating an Interest message that includes a name for this data. Routers along the CCN store a reverse path for the Interest, and propagate this Interest toward a content producer that can provide the requested data. Once the content producer returns a Content Object that satisfies the Interest, the routers forward the Content Object to the client device along the reverse path.

Unfortunately, it may be possible for a malicious entity to inject malicious data into the Interest's reverse path. To prevent malicious data from being returned to the client device, some routers may perform cryptographic authentication operations on the Content Objects to authenticate the Content Objects or their senders. However, performing this cryptographic authentication on every Content Object can significantly diminish the runtime performance of these routers.

SUMMARY

One embodiment provides an object-forwarding device that blocks a malicious Content Object from being inserted into an Interest's reverse path over a named data network. During operation, the device can receive a Content Object via a first interface, and can perform a lookup operation in a Pending Interest Table (PIT) to identify a PIT entry for an Interest associated with the Content Object. The device then determines, from the PIT entry, an egress interface used to forward the Interest. If the device determines that the egress interface of the PIT entry matches the first interface for the Content Object, the device forwards the Content Object via a return interface specified in the PIT entry. On the other hand, if the egress interface of the PIT entry does not match the first interface for the Content Object, the device can block the Content Object.

In some embodiments, the egress interface includes a physical interface.

In some embodiments, the egress interface includes a virtual interface.

In some variations to these embodiments, the virtual interface is associated with a Conjunctive Normal Form (CNF) expression that describes a logical relationship for a set of interfaces.

In some embodiments, the device can receive a second Interest via a second interface, and performs a lookup operation in a Forwarding Information Base, based on the second Interest's name, to determine an egress interface for forwarding the second Interest. Once the device forwards the second Interest via the egress interface, the device can create a new entry in the PIT for the Interest. This new PIT entry can include the egress interface used to forward the Interest.

In some embodiments, while performing the lookup operation in the PIT, the device determines whether a hierarchically structured variable-length identifier (HSVLI) of the PIT entry matches the Interest's name.

In some embodiments, the PIT entry includes a name field storing a hash value. Also, while performing the lookup operation in the PIT, the device determines whether the PIT entry's hash value matches a hash of the Interest's name.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 illustrates a computing environment that facilitates blocking a malicious Content Object from being inserted into an Interest's reverse path over a named data network in accordance with an embodiment.

FIG. 2 illustrates exemplary communication for a forwarder that blocks a malicious Content Object from being inserted into an Interest's reverse path in accordance with an embodiment.

FIG. 3 presents a flow chart illustrating a method for creating an entry in a Pending Interest Table to map an Interest's name to an ingress interface and an egress interface for the Interest in accordance with an embodiment.

FIG. 4 illustrates an exemplary Pending Interest Table in accordance with an embodiment.

FIG. 5 presents a flow chart illustrating a method for determining whether to block or forward a Content Object based on a corresponding PIT entry in accordance with an embodiment.

FIG. 6 illustrates an exemplary apparatus that facilitates blocking a malicious Content Object from being inserted into an Interest's reverse path in accordance with an embodiment.

FIG. 7 illustrates an exemplary computer system that facilitates blocking a malicious Content Object from being inserted into an Interest's reverse path in accordance with an embodiment.

In the figures, like reference numerals refer to the same figure elements.

DETAILED DESCRIPTION

The following description is presented to enable any person skilled in the art to make and use the embodiments, and is provided in the context of a particular application and its requirements. Various modifications to the disclosed embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other embodiments and applications without departing from the spirit and scope of the present disclosure. Thus, the present invention is not limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein.

Overview

Embodiments of the present invention provide a router that solves the problem of preventing malicious entities from injecting malicious data into a data stream over a named data network (NDN). For example, a client device can obtain data over the NDN by disseminating an Interest message that includes a name for this data, which establishes a reverse path along routers to a content producer that can provide the requested data. It is possible for other network devices to “inject” malicious data into this reverse path by forwarding Content Objects that include the Interest's name to a router along the reverse path. Hence, a malicious entity may exploit this vulnerability to provide fraudulent data to clients that access an online service, or even to the online service itself.

If the malicious entity succeeds in injecting malicious data at a router along the reverse path, this router discards the reverse path information it has for the Interest since the router is no longer expecting to receive a Content Object for the Interest. If the router receives a Content Object from the online service after discarding the reverse path information, the router will effectively block the Content Object given that the reverse path information no longer exists. Hence, the malicious entity may also exploit this vulnerability to implement a denial-of-service (DoS) attack by preventing clients of the online service from receiving data from the online service.

In some embodiments, a router of the NDN can prevent a malicious entity from injecting data into a pending Interest's reverse path by keeping track of which egress interface was used to forward an Interest, and only returning a Content Object that is received via its corresponding Interest's interface. For example, the NDN router can store this egress interface in a Pending Interest Table (PIT). This way, when the router performs a lookup operation on the PIT based on a Content Object's name, the router can obtain a PIT entry that includes the egress interface that was used to forward the corresponding Interest, along with a return interface that is to be used to forward the Content Object. If the Content Object was not received via the Interest's egress interface, the router can block the Content Object as it may have been maliciously inserted into the reverse path. Otherwise, the router can proceed to return the Content Object via the return interface as usual.

The following terms describe elements of a named data network (NDN) architecture, such as a content-centric network (CCN):

Content Object: A single piece of named data, which is bound to a unique name. Content Objects are “persistent,” which means that a Content Object can move around within a computing device, or across different computing devices, but does not change. If any component of the Content Object changes, the entity that made the change creates a new Content Object that includes the updated content, and binds the new Content Object to a new unique name.

Name: A name in an NDN is typically location independent and uniquely identifies a Content Object. A data-forwarding device can use the name or name prefix to forward an Interest packet toward a network node that generates or stores the Content Object, regardless of a network address or physical location for the Content Object. In some embodiments, the name may be a hierarchically structured variable-length identifier (HSVLI). The HSVLI can be divided into several hierarchical components, which can be structured in various ways. For example, the individual name components parc, home, ndn, and test.txt can be structured in a left-oriented prefix-major fashion to form the name “/parc/home/ndn/test.txt.” Thus, the name “/parc/home/ndn” can be a “parent” or “prefix” of “/parc/home/ndn/test.txt.” Additional components can be used to distinguish between different versions of the content item, such as a collaborative document.

In some embodiments, the name can include a non-hierarchical identifier, such as a hash value that is derived from the Content Object's data (e.g., a checksum value) and/or from elements of the Content Object's name. A description of a hash-based name is described in U.S. patent application Ser. No. 13/847,814 (entitled “ORDERED-ELEMENT NAMING FOR NAME-BASED PACKET FORWARDING,” by inventor Ignacio Solis, filed 20 Mar. 2013), which is hereby incorporated by reference. A name can also be a flat label. Hereinafter, “name” is used to refer to any name for a piece of data in a name-data network, such as a hierarchical name or name prefix, a flat name, a fixed-length name, an arbitrary-length name, or a label (e.g., a Multiprotocol Label Switching (MPLS) label).

Interest: A packet that indicates a request for a piece of data, and includes a name (or a name prefix) for the piece of data. A data consumer can disseminate a request or Interest across an information-centric network, which NDN routers can propagate toward a storage device (e.g., a cache server) or a data producer that can provide the requested data to satisfy the request or Interest.

In some embodiments, the NDN system can include a content-centric networking (CCN) architecture. However, the methods disclosed herein are also applicable to other NDN or other information-centric network (ICN) architectures as well. A description of a CCN architecture is described in U.S. patent application Ser. No. 12/338,175 (entitled “CONTROLLING THE SPREAD OF INTERESTS AND CONTENT IN A CONTENT CENTRIC NETWORK,” by inventors Van L. Jacobson and Diana K. Smetters, filed 18 Dec. 2008), which is hereby incorporated by reference.

FIG. 1 illustrates a computing environment 100 that facilitates blocking a malicious Content Object from being inserted into an Interest's reverse path over a named data network in accordance with an embodiment. Computing environment 100 can include a named-data network 102 (or any information-centric network now known or later developed), which can include a plurality of routing nodes or network nodes that can forward an Interest packet based on the name of the content being requested by the Interest packet, toward a content producer that can satisfy the Interest.

NDN 102 can include one or more forwarders 104 that can forward an Interest toward a content producer associated with the Interest's name prefix, and that can return a Content Object from the content producer along the Interest's reverse path. For example, a respective forwarder may be a router, a peer network device (e.g., a client device), or any network device in NDN 102. The forwarder can include a Forwarding Information Base (FIB) for determining an egress interface for an Interest, and can include a Content Store (CS) for caching Content Objects. The forwarder can also include a Pending Interest Table (PIT) for determining a return interface for returning a Content Object along its corresponding Interest's reverse path.

The PIT can also store an egress interface for an Interest, which the forwarder can use to perform a quick check as to whether a Content Object may be valid. Many forwarders 104 may not be able to properly authenticate the Content Object or its sender when they do not have the necessary keys. Also, some forwarders 104 may be configured to not perform cryptographic authentication on these Content Objects to avoid incurring the latencies associated with authentication. Hence, to perform the quick check, the forwarders can use the egress interface from the Interest's PIT entry to verify that the Content Object arrived through the same interface that was used to forward the Interest.

For example, computing environment 100 can include a client device 106, which can include a smartphone, a tablet computer, a personal computing device (e.g., a laptop), or any computing device that can disseminate Interests and receive Content Objects via NDN 102. After client device 106 disseminates an Interest, forwarders 104.1, 104.2, and 104.4 can forward the Interest toward a content producer 108 that can return a Content Object that satisfies this Interest. These forwarders update their PIT to include an interface for the Interest's reverse path, as well as an egress interface along for the Interest's the forward path.

As a further example, computing environment 100 can also include a malicious entity 110 that attempts to insert a malicious content object 112 into the Interest's reverse path at forwarder 104.2. Forwarder 104.2 can use the egress interface from the corresponding PIT entry to determine that malicious content object 112 was not received via the same interface that forwarder 104.2 used to forward the Interest (e.g., not the same as the interface to content producer 108).

Hence, the forwarders in NDN 102 can perform a quick interface-based check to block content that has been maliciously inserted into an Interest's reverse path. If a malicious Content Object happens to make it past these quick checks and arrives at device 106, it is still possible for device 106 to perform a definitive authentication operation to authenticate the Content Object or its sender. For example, device 106 can perform an authentication operation on malicious Content Object 112, and rejects Content Object 112 after determining that Malicious Entity 110 is not authorized to provide data for the Interest's name prefix.

FIG. 2 illustrates exemplary communication for a forwarder that blocks a malicious Content Object from being inserted into an Interest's reverse path in accordance with an embodiment. During operation a client device 202 can disseminate an Interest 210 over the NDN. Interest 210 may arrive at a forwarder 204 (e.g., a router), which forwards Interest 210 to a device 206. After forwarding Interest 210, forwarder 204 can create an entry in a local PIT to store the Interest's ingress interface and egress interface in association with the Interest's name.

In some embodiments, a malicious device 208 may try to insert malicious data into the reverse path for Interest 210 by sending a Content Object 208, whose name matches that of Interest 210, to forwarder 204. At this point, forwarder 204 can perform a lookup operation in the PIT to determine whether a matching Interest was received. The lookup operation may return a PIT entry for Interest 210, which forwarder 204 uses to determine both the ingress interface and egress interface for Interest 210. However, upon determining that the interface from which forwarder 204 received Content Object 212 does not match the egress interface for Interface 210 (e.g., the egress interface to device 206), forwarder can block Content Object 212 and retains the matching PIT entry in the local PIT.

At a later time, device 206 can return a Content Object 206 that satisfies Interest 210 to forwarder 204. For example, device 206 may be a Content Producer that generates Content Object 206 locally or obtains Content Object 206 from a local repository. Alternatively, device 206 may include a router or forwarder that obtains Content Object 206 from another forwarder or a content producer, or from a content store (e.g., a local cache). After receiving Content Object 214, forwarder 204 can once again perform a lookup operation in the local PIT to obtain the PIT entry for Interest 210. This time, upon determining that the interface associated with Content Object 214 matches the egress interface for Interface 210, forwarder 204 proceeds to forward Content Object 214 to device 202, and removes the matching PIT entry in the local PIT.

FIG. 3 presents a flow chart illustrating a method 300 for creating an entry in a Pending Interest Table to map an Interest's name to an ingress interface and an egress interface for the Interest in accordance with an embodiment. During operation, a router can receive an Interest (operation 302), and determines an ingress interface from which the router received the Interest (operation 304).

The router then performs a lookup operation in a Forwarding Information Base (FIB), using the Interest's name, to determine an egress interface for forwarding the Interest (operation 306). For example, the FIB can include a plurality of entries that each are associated with an HSVLI name or name prefix, or a hash-based name. The router can perform a longest prefix match lookup to select a FIB entry whose name provides a longest match to the Interest's name. This FIB entry maps the name prefix to a physical or virtual interface toward a content producer that can provide data that satisfies the Interest.

The router then forwards the Interest using the egress interface (operation 308), and creates a new entry in a local Pending Interest Table (PIT) for the Interest (operation 310). This new PIT entry maps the Interest's name to the Interest's ingress interface and egress interface (operation 312). The router can use the egress interface of this PIT entry to block malicious Content Objects with the Interest's name that arrive via a different interface.

In some embodiments, the new PIT entry's interfaces can include a physical interface, or can include a virtual interface that is associated with a Conjunctive Normal Form (CNF) expression that describes a logical relationship for a set of interfaces. For example, if the router forwards an Interest via multiple physical interfaces, the router can associate these multiple interfaces with one logical interface, and adds this logical interface to the PIT entry as the egress interface. This way, when the router receives the corresponding Content Object whose name matches the PIT entry's name, the router can check whether the physical interface from which the Content Object arrived satisfies the CNF expression for the PIT entry's logical egress interface.

FIG. 4 illustrates an exemplary Pending Interest Table 400 in accordance with an embodiment. Specifically, PIT 400 can include a plurality of rows that each corresponds to a PIT entry, and can include a name column 402, an ingress interface column 404, and an egress interface column 406. Name column 402 can include names for a set of pending Interests, such as an HSVLI or a hash-based name. Ingress interface column 404 includes interfaces from which Interests are received, and egress interface column 406 includes interfaces through which Interests were forwarded. Hence, a respective PIT entry maps a pending Interest's name to an ingress interface and an egress interface for the pending Interest.

In some embodiments, a PIT entry can include express header hashes. For example, name column 402 of a PIT entry can store a similarity hash for an Interest instead of an Interest's full name, and egress interface column 406 of the PIT entry can store one or more forwarding hashes for interfaces that were used to forward the Interest. Note that when storing the similarity hash in name column 402, it is possible for two pending Interests to map to the same similarity hash. Typically, in this situation, the router may use the first PIT entry that matches the similarity hash to return the Content Object. However, in some embodiments, the router improves the accuracy of the PIT lookup operation for express header hashes by only using a PIT entry to determine a return interface for a Content Object when the Content Object's name and interface match the PIT entry's similarity hash and forwarding hash.

FIG. 5 presents a flow chart illustrating a method 400 for determining whether to block or forward a Content Object based on a corresponding PIT entry in accordance with an embodiment. During operation, the router can receive a Content Object (operation 502), and determines an ingress interface from which the router received the Content Object (operation 504).

The router then performs a lookup operation in a local PIT to identify a PIT entry associated with the Content Object's name (operation 506). For example, the Content Object's name can include an HSVLI or a hash-based name. While performing the lookup operation, the router searches for a PIT entry with a name that exactly matches the Content Object's name. The router then determines, from the PIT entry, an egress interface that was used to forward an Interest associated with the PIT entry (operation 508).

The router then determines whether the Content Object's ingress interface matches the Interest's egress interface (operation 510). If so, the Content Object is possibly valid, and the router proceeds to return the Content Object along the Interest's reverse path. In doing so, the router can determine a return Interface from the PIT entry (operation 512), and forwards the Content Object via the return interface (operation 514).

However, if the Content Object's ingress interface does not match the Interest's egress interface, the Content Object is likely to include malicious data. Hence, the router blocks the Content Object (operation 516), for example, by discarding the Content Object without forwarding the Content Object along the reverse path. Note that when the router blocks the Content Object, the router does not remove the PIT entry that matches the Content Object's name. This allows the router to forward a valid Content Object along the Interest's reverse path at a later time.

FIG. 6 illustrates an exemplary apparatus 600 that facilitates blocking a malicious Content Object from being inserted into an Interest's reverse path in accordance with an embodiment. Apparatus 600 can comprise a plurality of modules which may communicate with one another via a wired or wireless communication channel. Apparatus 600 may be realized using one or more integrated circuits, and may include fewer or more modules than those shown in FIG. 6. Further, apparatus 600 may be integrated in a computer system, or realized as a separate device which is capable of communicating with other computer systems and/or devices. Specifically, apparatus 600 can comprise a communication module 602, an Interest-processing module 604, an object-processing module 606, an Interface-determining module 608, and an Interface-checking module 610.

In some embodiments, communication module 602 can receive an Interest via a first interface, and Interest-processing module 604 can perform a lookup operation in a FIB to determine an egress interface for forwarding the Interest. Interface-checking module 610 can create a new entry in the PIT for the Interest, which includes an ingress interface and the egress interface for the Interest.

Communication module 602 can also receive a Content Object via a second interface, and object-processing module 606 can perform a lookup operation in a PIT to identify a PIT entry for an Interest associated with the Content Object. Interface-determining module 608 can determine, from the PIT entry, an egress interface used to forward the Interest. Interface-checking module 610 can also determine whether the egress interface of the PIT entry matches the first interface for the Content Object.

FIG. 7 illustrates an exemplary computer system 702 that facilitates blocking a malicious Content Object from being inserted into an Interest's reverse path in accordance with an embodiment. Computer system 702 includes a processor 704, a memory 706, and a storage device 708. Memory 706 can include a volatile memory (e.g., RAM) that serves as a managed memory, and can be used to store one or more memory pools. Furthermore, computer system 702 can be coupled to a display device 710, a keyboard 712, and a pointing device 714. Storage device 708 can store operating system 716, a packet-forwarding system 718, and data 730.

Packet-forwarding system 718 can include instructions, which when executed by computer system 702, can cause computer system 702 to perform methods and/or processes described in this disclosure. Specifically, packet-forwarding system 718 may include instructions for receiving an Interest or receiving a Content Object over a named data network (communication module 720). Further, packet-forwarding system 718 can include instructions for performing a lookup operation in a FIB to determine an egress interface for forwarding the Interest (Interest-processing module 722), and can include instructions for creating a new entry in the PIT for the Interest, which includes an ingress interface and the egress interface for the Interest (interface-checking module 728).

Packet-forwarding system 718 can include instructions for performing a lookup operation in a PIT to identify a PIT entry for an Interest associated with the Content Object (object-processing module 724). Packet-forwarding system 718 can also include instructions for determining, from the PIT entry, an egress interface used to forward the Interest (interface-determining module 726). Further, packet-forwarding system 718 can include instructions for determining whether the egress interface of the PIT entry matches the first interface for the Content Object (interface-checking module 728).

Data 730 can include any data that is required as input or that is generated as output by the methods and/or processes described in this disclosure.

The data structures and code described in this detailed description are typically stored on a computer-readable storage medium, which may be any device or medium that can store code and/or data for use by a computer system. The computer-readable storage medium includes, but is not limited to, volatile memory, non-volatile memory, magnetic and optical storage devices such as disk drives, magnetic tape, CDs (compact discs), DVDs (digital versatile discs or digital video discs), or other media capable of storing computer-readable media now known or later developed.

The methods and processes described in the detailed description section can be embodied as code and/or data, which can be stored in a computer-readable storage medium as described above. When a computer system reads and executes the code and/or data stored on the computer-readable storage medium, the computer system performs the methods and processes embodied as data structures and code and stored within the computer-readable storage medium.

Furthermore, the methods and processes described above can be included in hardware modules. For example, the hardware modules can include, but are not limited to, application-specific integrated circuit (ASIC) chips, field-programmable gate arrays (FPGAs), and other programmable-logic devices now known or later developed. When the hardware modules are activated, the hardware modules perform the methods and processes included within the hardware modules.

The foregoing descriptions of embodiments of the present invention have been presented for purposes of illustration and description only. They are not intended to be exhaustive or to limit the present invention to the forms disclosed. Accordingly, many modifications and variations will be apparent to practitioners skilled in the art. Additionally, the above disclosure is not intended to limit the present invention. The scope of the present invention is defined by the appended claims. 

What is claimed is:
 1. A computer-implemented method, comprising: receiving a Content Object via a first interface; performing a lookup operation in a Pending Interest Table (PIT) to identify a PIT entry for an Interest associated with the Content Object; determining, from the PIT entry, an egress interface used to forward the Interest; and responsive to determining that the egress interface of the PIT entry matches the first interface for the Content Object, forwarding the Content Object via a return interface specified in the PIT entry.
 2. The method of claim 1, further comprising: responsive to determining that the egress interface of the PIT entry does not match the first interface for the Content Object, blocking the Content Object from being forwarded via the return interface.
 3. The method of claim 1, wherein the egress interface includes a physical interface.
 4. The method of claim 1, wherein the egress interface includes a virtual interface.
 5. The method of claim 4, wherein the virtual interface is associated with a Conjunctive Normal Form (CNF) expression that describes a logical relationship for a set of interfaces.
 6. The method of claim 1, further comprising: receiving a second Interest via a second interface; performing a lookup operation in a Forwarding Information Base, based on the second Interest's name, to determine an egress interface for forwarding the second Interest; and responsive to forwarding the second Interest via the egress interface, creating a new entry in the PIT for the Interest, wherein the new PIT entry includes the egress interface used to forward the Interest.
 7. The method of claim 1, wherein the PIT entry includes a name field storing one or more of: a hierarchically structured variable-length identifier (HSVLI); and a hash value.
 8. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method, the method comprising: receiving a Content Object via a first interface; performing a lookup operation in a Pending Interest Table (PIT) to identify a PIT entry for an Interest associated with the Content Object; determining, from the PIT entry, an egress interface used to forward the Interest; and responsive to determining that the egress interface of the PIT entry matches the first interface for the Content Object, forwarding the Content Object via a return interface specified in the PIT entry.
 9. The storage medium of claim 8, further comprising: responsive to determining that the egress interface of the PIT entry does not match the first interface for the Content Object, blocking the Content Object from being forwarded via the return interface.
 10. The storage medium of claim 8, wherein the egress interface includes a physical interface.
 11. The storage medium of claim 8, wherein the egress interface includes a virtual interface.
 12. The storage medium of claim 11, wherein the virtual interface is associated with a Conjunctive Normal Form (CNF) expression that describes a logical relationship for a set of interfaces.
 13. The storage medium of claim 8, further comprising: receiving a second Interest via a second interface; performing a lookup operation in a Forwarding Information Base, based on the second Interest's name, to determine an egress interface for forwarding the second Interest; and responsive to forwarding the second Interest via the egress interface, creating a new entry in the PIT for the Interest, wherein the new PIT entry includes the egress interface used to forward the Interest.
 14. The storage medium of claim 8, wherein the PIT entry includes a name field storing one or more of: a hierarchically structured variable-length identifier (HSVLI); and a hash value.
 15. An apparatus, comprising: a communication module to receive a Content Object via a first interface; an object-processing module to perform a lookup operation in a Pending Interest Table (PIT) to identify a PIT entry for an Interest associated with the Content Object; an interface-determining module to determine, from the PIT entry, an egress interface used to forward the Interest; an interface-checking module to determine whether the egress interface of the PIT entry matches the first interface for the Content Object; and wherein responsive to the interface-checking module determining that the egress interface of the PIT entry matches the first interface for the Content Object, the communication module is further configured to forward the Content Object via a return interface specified in the PIT entry.
 16. The apparatus of claim 15, wherein responsive to determining that the egress interface of the PIT entry does not match the first interface for the Content Object, the communication module is further configured to block the Content Object from being forwarded via the return interface.
 17. The apparatus of claim 15, wherein the egress interface includes a physical interface.
 18. The apparatus of claim 15, wherein the egress interface includes a virtual interface.
 19. The apparatus of claim 18, wherein the virtual interface is associated with a Conjunctive Normal Form (CNF) expression that describes a logical relationship for a set of interfaces.
 20. The apparatus of claim 15, wherein the communication module is further configured to receive a second Interest via a second interface; wherein the apparatus further comprises an Interest-processing module to perform a lookup operation in a Forwarding Information Base, based on the second Interest's name, to determine an egress interface for forwarding the second Interest; and wherein the interface-checking is further configured to create a new entry in the PIT for the Interest, wherein the new PIT entry includes the egress interface used to forward the Interest, responsive to the communication module forwarding the second Interest via the egress interface.
 21. The apparatus of claim 15, wherein the PIT entry includes a name field storing one or more of: a hierarchically structured variable-length identifier (HSVLI); and a hash value. 